What to Know About Third-Party Cybersecurity Risks

Featured article by Susan Melony, Independent Technology Author

What cybersecurity companies and experts know is that for organizations, there is a risk not from their internal systems, but there are also third-party risks. A few years ago, it was enough for most businesses to focus primarily on their own cyber defense and protection, but now that’s not enough.

The Ponemon Institute did a survey of more than 1,000 CISOs as well as other risk and security professionals in both the U.S. and the U.K. The survey looked at the challenges companies face in terms of protecting their data and sensitive information that’s shared with their vendors and third-party partners.

The findings showed that 59% of respondents said they’d experienced a data breach caused by a vendor or third-party. The U.S. saw an even higher share—61%.

Many of these breaches also go undetected, and 22% of respondents said they didn’t know if they’d had a third-party breach in the past 12 months.

Why the Increase in Third-Party Breaches?

One of the primary reasons that third-party breaches have become so prevalent is fairly simple—companies are increasingly relying on a number of third-party vendors and partners. Organizations share sensitive and confidential information with around 538 third parties on average, but only 34% report having an in-depth inventory of the third parties.

There is a significant lack in centralized control based on survey results, with 69% of respondents saying the main reason for not having a comprehensive inventory is because they don’t have centralized control over third-party vendors and applications.

Many companies also don’t feel like it’s a priority to manage all of their third-party relationships.

Essentially, you may have stringent control over your own environment, but then you’re actually giving up that control when you work with third parties.

Risk Mitigation

When it comes to third-party relationships, you need to be just as focused on risk mitigation as you are with your internal environment.

For example, you can start by first and foremost teaching all of your employees about cybersecurity best practices. Beyond that, you want multi-factor authentication and role-based authorization as much as is possible.

A few specific practices to consider include:

• You should map out your data flow in its entirety. The most important thing you can do to protect your organization is to be able to track your data quickly and easily in both physical and digital formats. Then this allows you to ensure more accountability throughout in addition to controls and monitoring.
• Always be aware of how third parties protect their data. You need to consider privacy and data laws where the vendor processes data, and you’ll want to deep dive into their security controls. Create risk profiles for each vendor that are individualized.
• You might consider outsourcing your assessments and risk management to a professional company.
• Don’t forget about those vendors that you might not necessarily think of as being high-risk, or even think of at all in your risk assessments. For example, consider the marketing tools you use. There was at one point, an Evite breach that exposed the information of millions of users. It was business information that was primarily exposed during that breach, even though we most often associate Evite as being a B2C company.
• Know the industry standards for risk management. Every industry has its own set of best practices in terms of cybersecurity and risk management, and you’ll need to be aware of what these are as you’re choosing and maintaining your relationship with vendors.
• If you’re a large organization working with hundreds or more vendors, you’ll probably need some type of software to help you keep track and manage risk.

Also, make sure that you keep up with regular assessments and go over all of your vendors’ and partners’ policies and programs on a regular basis.

There’s no doubt that networks and ecosystems will continue to grow in their complexity for businesses of all sizes. You’ll need specialty services more and more, which undoubtedly means more and more opportunities for attacks to occur. Malware is one of the primary ways that cyberattackers use third parties to get entry into business networks.

Be aware of the risks, and create real strategies to keep up with all of your third-party vendors, even if they seem somewhat inconsequential in the overall scheme of your cybersecurity.

Keeping up with risks is an ever-growing responsibility, but one that also becomes more important every year.

Dedicate the necessary time and resources to your internal systems and your vendors.